Google and Symantec Trust Issues Near Conclusion

Symantec Will Partner With A CA To Issue Certificates

Last Friday Google and Symantec shared a proposal that will allow Symantec to move forward following the violations and mis-issuances that were uncovered earlier this year.

Google and Symantec have both noted that some of the specifics may change but they are close to “converging on [a proposal] that strikes a good balance of addressing security risk and mitigating interruption.”

The previous proposal from Google involved a complicated set of restrictions on Symantec certificates as well as a staged distrust of existing certificates. This would have put Symantec and its customers into a tricky position as Symantec would have been forbidden from offering the same features as other CAs.

That has been thrown out in favor of a more radical change which will remove most of the burden from Symantec’s customers.

Under the new proposal, Symantec will be partnering with another CA to continue issuing certificates while it revamps its own operations. The majority of the work required to execute this plan will be undertaken by Symantec itself. Users will see relatively few changes and will be able to get new certificates that do not have any restrictions placed on them.

For browsers, it was incredibly important to separate new and old Symantec certificates with a new set of root certificates. This gives them the ability to control which certificates are trusted through technical measures – instead of policies – which is considerably more reliable.

Here are the highlights:

As with previous plans, these actions apply to all Symantec operated CAs which includes GeoTrust, Thawte, and RapidSSL.

Starting August 8th, Symantec certificates will need to be issued by a “Managed CA” – another certificate authority with which Symantec has partnered. It is not yet known who will be working with Symantec.

These certificates will be cross-signed by existing Symantec roots in order to leverage their expansive root ubiquity. This allows new certificates to be trusted on the huge variety of legacy devices that trust Symantec’s existing roots.

Certificates issued by this Managed CA will not face any unique restrictions. This means Symantec certificates can be issued in accordance with the industry standard rules. Their EV certificates will continue to be displayed with the green address bar UI.

Existing certificates issued before June 1st 2016 (when Symantec certificates were required to comply with Chrome’s Certificate Transparency policy) will need to be replaced. Chrome will distrust those certificates over a two-phase period starting in August (with the release of Chrome 62).

Existing certificates issued after June 1st 2016 will not be affected. Owners of these certificates will not need to have them revalidated/reissued, or see any reductions in validity period. EV certificates will continue to have EV UI.
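The two date-based rules above (issued before June 1st 2016: replace; issued on or after: unaffected) are exactly the kind of thing an operator wants to run over a certificate inventory rather than eyeball. The script below is an added example, not code from the original post or from Google or Symantec. It walks the DER structure of an X.509 certificate with a minimal stdlib-only TLV decoder, pulls out the issuer's organization name and the notBefore date, and classifies the certificate against the proposal's cut-off. The list of brand names matched against the issuer (Symantec, GeoTrust, Thawte, RapidSSL, taken from the post) is a heuristic assumption for the demo; a real inventory check should key on the actual Symantec root and intermediate certificates in the chain. The sample certificates are constructed skeletons built in-line (unsigned, with dummy fields) so the script runs offline.

```python
"""Classify certificates against the Symantec distrust timeline described above."""
from datetime import datetime, timezone

# Cut-off from the proposal: Symantec certificates issued before this date need replacing.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
# Symantec-operated CA brands named in the post; substring match on issuer O= is an
# assumption for the demo, not how the browsers identify the affected roots.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")
OID_ORGANIZATION_NAME = b"\x55\x04\x0a"   # id-at-organizationName (2.5.4.10)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the value of a constructed element (SEQUENCE/SET) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_cert(blob):
    """Return (issuer organization names, notBefore) from a DER-encoded certificate."""
    _, cert_body, _ = der_tlv(blob)                 # Certificate ::= SEQUENCE
    tbs = der_children(cert_body)[0][1]             # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity = fields[2][1], fields[3][1]
    orgs = []
    for _, rdn in der_children(issuer):             # Name ::= SEQUENCE OF RDN (SET)
        for _, atv in der_children(rdn):            # AttributeTypeAndValue ::= SEQUENCE
            oid, val = der_children(atv)
            if oid[1] == OID_ORGANIZATION_NAME:
                orgs.append(val[1].decode("utf-8"))
    not_before_tag, not_before = der_children(validity)[0]
    return orgs, parse_time(not_before_tag, not_before)


def classify(blob):
    """Apply the proposal's rules to one certificate and return a verdict string."""
    orgs, not_before = parse_cert(blob)
    if not any(b in o.lower() for o in orgs for b in SYMANTEC_BRANDS):
        return "not a Symantec-operated CA: unaffected by this proposal"
    if not_before < CUTOFF:
        return "issued before 2016-06-01: replace before the Chrome 62 distrust phase"
    return "issued on/after 2016-06-01: unaffected, no reissue needed"


# --- constructed sample data (unsigned skeleton certificates, demo only) ---

def der(tag, payload):
    """Minimal DER encoder used only to build the sample certificates."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_cert(issuer_org, year, month, day):
    """Build a constructed certificate skeleton with the given issuer O= and notBefore."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_ORGANIZATION_NAME)
                                           + der(0x0C, issuer_org.encode("utf-8")))))
    utc = der(0x17, datetime(year, month, day).strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name + der(0x30, utc + utc) + name + der(0x30, b""))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    for org, ymd in (("Symantec Corporation", (2015, 3, 4)),
                     ("GeoTrust Inc.", (2017, 1, 10)),
                     ("Example Unrelated CA", (2015, 1, 1))):
        print(f"{org}: {classify(sample_cert(org, *ymd))}")
```

To run this against real certificates, replace `sample_cert(...)` with the DER bytes of each leaf (for PEM input, strip the armor and base64-decode first) and, for a faithful check, replace the brand heuristic with a comparison of the chain's issuer against the Symantec roots the browsers actually list.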

While all of this is happening Symantec will be providing audits and reports to Google and the community to show its progress on fixing the errors that led to its violations. They will also be working on submitting new root certificates to root programs so that there can be a technically viable way to begin validating and issuing certificates again.

Symantec’s partner CA will continue to handle issuance and validation until Symantec’s new root certificates are accepted into trust stores. This is no small feat for any company – including veteran CAs. While some root programs – like Mozilla’s – are transparent and well documented, others (*cough* Apple *cough*) are spoken of like urban legends and can take significantly longer to work with.

It will likely take two or more years before Symantec is ready to bring everything back in-house. But in the meantime, their customers will continue to be able to buy and use certificates as they have been, with no complicated or inconvenient restrictions.

Again, note that this is still not a final plan. While this process seems arduous, it makes sense when you consider the scale of Symantec’s business. On Friday, Symantec said that it “[is] carefully reviewing this proposal and will respond shortly with feedback for the community’s consideration.” We expect any final tweaks to be made shortly, at which point we will post more details regarding upcoming changes and actions that Symantec certificate users will need to be prepared for.

Mozilla is in a similar position to Google: it has proposed a plan that still needs to be fine-tuned. It is very similar to Google’s, with one major difference being that Symantec certificates would be limited to 400 days of validity. Mozilla is also debating the idea that Symantec needs to outsource its CA duties while the new PKI is started. Mozilla is conscious of the fact that Symantec will have to follow the strictest set of rules across all root programs, and therefore Mozilla is trying to bring its plan to parity with Google’s.

As is the norm for the industry, Microsoft and Apple have said very little and have not made any public statement on what they will be doing. Historically their root programs have been more lenient, and are therefore less important when determining impact to users.

2 comments

Err, this whole process was begun by Mozilla, who had to put up with a very lack-lustre approach to public problem solving from Symantec, who eventually then seemingly snubbed Mozilla and went off to strike a plan with Google.

That isn’t quite how it works. Certificates are issued by CAs, but are primarily used in software that is developed by other companies. Those software companies can decide what CAs they trust and how they trust them. Most of the major browsers run “Root Programs”, which are a formal mechanism for deciding this.

When a CA misbehaves, as Symantec has, each root program has autonomy to decide how to handle it. Mozilla, Google, Apple, and Microsoft all run independent root programs for their browsers.

Mozilla is still working on its own decision for Symantec. However, because of larger industry dynamics, Google has sort of “taken the lead” because their actions will have the largest impact.

Symantec can’t shop around for deals. They have to come to an agreement with each root program, and for the most part, the root program has the vast majority of the bargaining power.